
Firewall

Ben Hammersley continues to work on the real digital divide, pointing out how the discourse about computer security has shifted from “secure your machine to protect yourself” to “secure your machine to protect everyone else.”

We’ve done a decent job in reducing spyware scanning and anti-virus software to a relatively user-friendly level. The sticking point right now is firewalls, and there’s a lot of talk about them because of the starring role the firewall plays in XP SP2. Any system with a direct connection to the internet should be behind some sort of firewall, but millions are jacked directly into cable modem or DSL connections by people who don’t know why a firewall is important.

The problem is that firewalls are complicated concepts, and in my mind, you really need to grasp a few non-trivial IP networking concepts (addressing, ports, and protocols) before you can get a good handle on what your firewall is doing. And knowing what the firewall is doing is (again, the way I see it) critical to configuring it well. You need to know what you want it to allow, and that’s not a one-size-fits-all answer; it varies slightly for every application and therefore for every host. You wouldn’t believe how long it took me to configure a working firewall on our gateway server.

Now, something about me wants to get across those core concepts first, so anything I wrote about firewalls would be about the length of a book chapter. But the average user doesn’t care. They just want it to work, and then forget about it; they don’t want all the warnings from ZoneAlarm when they fire up AIM. If they installed it to begin with, they disable it.

I wonder if a firewall can be created which can be used by someone who knows little or nothing about networks. Maybe it does a short interview at start-up time (“Do you use IM? How about file sharing?”) that is low jargon (one of the classic battles of the network admin is integrating a firewall with a VPN, which isn’t made any more clear if you know that VPN stands for Virtual Private Network.) Maybe this hypothetical firewall could secure your grandmother’s Windows box without either of you needing to know the difference between UDP and TCP. (Leaving us only with the question of why you would inflict Windows on your grandmother.) Maybe it would both protect her from port-scanning script-kiddies and protect the rest of us from the malware-spewing spyware she downloaded by accident. (Another catch: a firewall won’t protect you against something that comes in by “normal” channels, like a requested website, or an email message, and nothing will protect you from social engineering.)
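As an added illustration of the interview idea above (not code from the post), here is a Python sketch that maps a few yes/no answers onto a default-deny rule set. The questions, the port and protocol numbers, and the iptables form of the output are all assumptions; a real tool would also restrict the file-sharing rules to the home network rather than the whole internet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str   # "INPUT" (traffic arriving at the host) or "OUTPUT" (leaving it)
    proto: str   # "tcp" or "udp"
    port: int
    reason: str  # plain-language explanation shown to the user


# Low-jargon questions mapped to the allowances each one needs.
# Port and protocol numbers are assumptions for illustration.
QUESTION_RULES = {
    "Do you use instant messaging (AIM)?": [
        Rule("OUTPUT", "tcp", 5190, "AIM client talking to AOL servers"),
    ],
    "Do you share files with other computers in your home?": [
        # Opening these to the whole internet is the risk a real tool must
        # avoid, e.g. by adding a '-s <home subnet>' match to each rule.
        Rule("INPUT", "tcp", 445, "Windows file sharing (SMB)"),
        Rule("INPUT", "tcp", 139, "NetBIOS session"),
        Rule("INPUT", "udp", 137, "NetBIOS name service"),
        Rule("INPUT", "udp", 138, "NetBIOS datagram"),
    ],
}

# Allowed whatever the answers: the "normal channels" the firewall lets
# through on request and therefore cannot protect against (web, DNS).
ALWAYS = [
    Rule("OUTPUT", "udp", 53, "DNS lookups"),
    Rule("OUTPUT", "tcp", 80, "web browsing"),
    Rule("OUTPUT", "tcp", 443, "web browsing (TLS)"),
]


def selected_rules(answers):
    """Combine the always-on allowances with those the user's answers require."""
    rules = list(ALWAYS)
    for question, yes in answers.items():
        if yes:
            rules.extend(QUESTION_RULES[question])
    return rules


def build_policy(answers):
    """Return iptables commands: drop everything in both directions by default,
    accept replies to connections this host opened, then open only what is needed."""
    cmds = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in selected_rules(answers):
        cmds.append(f"iptables -A {r.chain} -p {r.proto} --dport {r.port} -j ACCEPT  # {r.reason}")
    return cmds


def exposed_inbound_ports(answers):
    """(proto, port) pairs reachable from outside: the list worth showing the user."""
    return sorted((r.proto, r.port) for r in selected_rules(answers) if r.chain == "INPUT")
```

Answering "no" to everything still leaves the box able to browse, which is exactly the channel the post says a firewall cannot filter.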

There’s some literature and documentation out there; there’s even Firewalls for Dummies. I don’t know if it’s effective, since I went the hard way myself (man pages, and the like) but before even the Dummies titles can be useful, the user has to know they need a firewall and that they need to configure it well. They need to be convinced to spend some time on it. That’s a bit of evangelism I’m definitely not well equipped for.

I don’t know. I learned this stuff, now I know it, and I can’t un-know it in order to put myself in another’s shoes. Or at their keyboard.

Now playing: We Never Change from Parachutes by Coldplay
